Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for diverting an established communication session comprising: examining said established communication session at a traffic switching element between a first node and a second node while allowing one or more packets to flow bidirectionally between said first node and said second node; tracking a progression of the established communication session at a state session manager at the traffic switching element; updating in the session state manager at the traffic switching element the state of said established communication session based on said one or more packets; determining a protocol of said established communication session from a plurality of protocols based on said one or more packets; determining, at the traffic switching element, if the protocol matches a pattern that indicates a protocol of interest; if the protocol matches and a current state of the established communication session is equivalent to an inspect state, at the traffic switching element, diverting traffic from said first node or said second node to a divert host, by initiating and establishing a new communication session with said divert host by, at the traffic switching element, terminating the connection to said first or second node and splicing said established communication session with said new communication session by adapting subsequent packets, at the traffic switching element, for the first node, second node, or divert host to the current state of the established communication session, wherein if the established communication session uses TCP, the adapting subsequent packets comprises: remapping sequence numbers and acknowledgment numbers, based upon the difference between the initial sequence numbers of the node the divert host is replacing and the divert host; and rescaling window size based upon the difference between window scale values of the node the divert host is replacing and the divert host.
2. The method of claim 1 further comprising tagging packets delivered to said divert host said tagging indicating a communication protocol.
3. The method of claim 1 further comprising maintaining a plurality of session state records in said session state manager to permit a plurality of simultaneous communication sessions to be examined.
4. The method of claim 1 further comprising if the protocol of the established communication session does not match a pattern that indicates a protocol of interest, allowing the communication session to proceed without establishing a new communication session.
5. The method of claim 1 wherein the tracking of the progression of the established communication session comprises: creating a new session state record if at least one of the packets comprises a SYN flag set.
6. The method of claim 1 wherein the current state of the session is maintained as the inspect state until the traffic switching element determines whether to allow or divert the established communication session.
7. The method of claim 1 further comprising: updating the state of the new communication session in the state session manager to a divert state.
8. A non-transitory computer readable storage medium containing instructions, which, when executed on a computing device, cause the computing device to execute a method, for diverting an established communication session comprising: examining said established communication session at a traffic switching element between a first node and a second node while allowing one or more packets to flow bidirectionally between said first node and said second node; tracking a progression of the established communication session at a state session manager at the traffic switching element; updating in the session state manager at the traffic switching element the state of said established communication session based on said one or more packets; determining a protocol of said established communication session from a plurality of protocols based on said one or more packets; determining, at the traffic switching element, if the protocol matches a pattern that indicates a protocol of interest; if the protocol matches and a current state of the established communication session is equivalent to an inspect state, at the traffic switching element, diverting traffic from said first node or said second node to a divert host, by initiating and establishing a new communication session with said divert host by, at the traffic switching element, terminating the connection to said first or second node and splicing said established communication session with said new communication session by adapting subsequent packets, at the traffic switching element, for the first node, second node, or divert host to the current state of the established communication session, wherein if the established communication session uses TCP, the adapting subsequent packets comprises: remapping sequence numbers and acknowledgment numbers, based upon the difference between the initial sequence numbers of the node the divert host is replacing and the divert host; and rescaling window size based upon the difference between window scale values of the node the divert host is replacing and the divert host.
9. A method for diverting an established communication session between a first node and a second node comprising: examining the established communication session at a monitoring point between the first node and second node while allowing one or more packets to flow bidirectionally between the first node and the second node via the monitoring point; tracking a progression of the established communication session at a state session manager at the monitoring point; updating in the session state manager at the monitoring point the state of the established communication session based on the one or more packets; determining a protocol of the established communication session at the monitoring point based on the one or more packets; determining at the monitoring point if the protocol matches a pattern that indicates a protocol of interest; if the protocol matches and a current state of the established communication session is equivalent to an inspect state: initiating and establishing, at the monitoring point, a new communication session between the monitoring point and a divert host; and terminating, at the monitoring point, the connection between the monitoring point and one of the first or second node and splicing the established communication session with said new communication session by adapting packets in the spliced communication session based on the retained state of the established communication session and without sending all previously sent packets of the established communication session, wherein if the established communication session uses TCP, the adapting subsequent packets comprises: remapping sequence numbers and acknowledgment numbers, based upon the difference between the initial sequence numbers of the node the divert host is replacing and the divert host; and rescaling window size based upon the difference between window scale values of the node the divert host is replacing and the divert host.
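The following is an added worked example, not the patent's or any assignee's implementation, of the mechanism the claims describe: a session state manager that creates a record on SYN (claim 5), holds the session in an inspect state until an allow/divert decision (claims 4, 6, 7), tags packets handed to the divert host with the detected protocol (claim 2), and, on divert, remaps sequence/acknowledgment numbers by the ISN difference and rescales the 16-bit window field by the window-scale difference between the replaced node and the divert host (claims 1, 8, 9). The addresses, the HTTP/SMTP matching patterns, the sample packets, and the assumption that the traffic switching element reuses the first node's ISN and window scale when it opens the new session toward the divert host (so only the replaced-node/divert-host delta is needed) are constructed for illustration.

```python
# Added illustration of the claims' session tracking and TCP splice adaptation.
# Not the patent's code; addresses, patterns and packets are constructed.
from dataclasses import dataclass, field, replace
from enum import Enum, auto
from typing import Optional
import re

MASK32 = 0xFFFFFFFF

class State(Enum):
    SYN_SEEN = auto()      # record created on SYN (claim 5)
    SYNACK_SEEN = auto()
    ESTABLISHED = auto()   # handshake complete, no payload classified yet
    INSPECT = auto()       # held here until allow/divert is decided (claim 6)
    ALLOW = auto()         # not a protocol of interest: pass through (claim 4)
    DIVERT = auto()        # spliced to the divert host (claim 7)

@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    ack: int
    window: int                  # raw 16-bit window field as on the wire
    flags: frozenset
    payload: bytes = b""
    wscale: int = 0              # window-scale shift; meaningful on SYN/SYN-ACK
    tag: Optional[str] = None    # protocol tag added for the divert host (claim 2)

@dataclass
class SessionRecord:
    first: str
    second: str
    state: State = State.SYN_SEEN
    isn: dict = field(default_factory=dict)     # node -> initial sequence number
    wscale: dict = field(default_factory=dict)  # node -> window-scale shift
    protocol: Optional[str] = None

# Constructed patterns; the claims only require "a pattern that indicates a protocol".
PATTERNS = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(?:EHLO|HELO) "),
}
PROTOCOLS_OF_INTEREST = {"http"}

def classify(payload: bytes) -> Optional[str]:
    return next((n for n, p in PATTERNS.items() if p.match(payload)), None)

class SessionStateManager:
    """One record per simultaneous session, keyed by the node pair (claim 3)."""
    def __init__(self):
        self.sessions = {}

    def observe(self, pkt: Packet) -> Optional[SessionRecord]:
        k = tuple(sorted((pkt.src, pkt.dst)))
        rec = self.sessions.get(k)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            rec = self.sessions[k] = SessionRecord(pkt.src, pkt.dst)
            rec.isn[pkt.src], rec.wscale[pkt.src] = pkt.seq, pkt.wscale
        elif rec is None:
            return None                         # mid-stream, no record: untracked
        elif rec.state is State.SYN_SEEN and {"SYN", "ACK"} <= pkt.flags:
            rec.isn[pkt.src], rec.wscale[pkt.src] = pkt.seq, pkt.wscale
            rec.state = State.SYNACK_SEEN
        elif rec.state is State.SYNACK_SEEN and "ACK" in pkt.flags:
            rec.state = State.ESTABLISHED
        elif rec.state is State.ESTABLISHED and pkt.payload:
            rec.state, rec.protocol = State.INSPECT, classify(pkt.payload)
        return rec

    def decide(self, rec: SessionRecord) -> State:
        if rec.state is State.INSPECT:
            rec.state = State.DIVERT if rec.protocol in PROTOCOLS_OF_INTEREST else State.ALLOW
        return rec.state

def rescale_window(window: int, from_shift: int, to_shift: int) -> int:
    """Re-express a window field sent under from_shift for a peer applying
    to_shift; clamp to the 16-bit field when the peer's scale cannot hold it."""
    return min((window << from_shift) >> to_shift, 0xFFFF)

class Splice:
    """Adapts packets once the element has replaced `replaced` with `divert`."""
    def __init__(self, rec, replaced, divert, divert_isn, divert_wscale):
        assert rec.state is State.DIVERT
        self.rec, self.replaced, self.divert = rec, replaced, divert
        self.first = rec.first if rec.second == replaced else rec.second
        # Assumption: the element reused the first node's ISN/window scale toward
        # the divert host, so only the replaced-node vs divert-host delta matters.
        self.seq_delta = (rec.isn[replaced] - divert_isn) & MASK32
        self.old_shift, self.new_shift = rec.wscale[replaced], divert_wscale

    def adapt(self, pkt: Packet) -> Packet:
        if pkt.src == self.divert:               # divert host -> first node
            return replace(pkt, src=self.replaced, dst=self.first,
                           seq=(pkt.seq + self.seq_delta) & MASK32,
                           window=rescale_window(pkt.window, self.new_shift, self.old_shift))
        if pkt.src == self.first:                # first node -> divert host
            return replace(pkt, dst=self.divert, tag=self.rec.protocol,
                           ack=(pkt.ack - self.seq_delta) & MASK32)
        raise ValueError("packet does not belong to this splice")

def demo():
    """Constructed walk-through: client C to server S, diverted to D."""
    C, S, D, T = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.254"
    mgr = SessionStateManager()
    mgr.observe(Packet(C, S, 1000, 0, 64240, frozenset({"SYN"}), wscale=7))
    mgr.observe(Packet(S, C, 5000, 1001, 65535, frozenset({"SYN", "ACK"}), wscale=7))
    mgr.observe(Packet(C, S, 1001, 5001, 502, frozenset({"ACK"})))
    rec = mgr.observe(Packet(C, S, 1001, 5001, 502, frozenset({"PSH", "ACK"}),
                             b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))   # 27 bytes
    if mgr.decide(rec) is not State.DIVERT:
        return None
    sp = Splice(rec, S, D, divert_isn=9000, divert_wscale=2)   # D's SYN-ACK values
    to_client = sp.adapt(Packet(D, T, 9001, 1028, 1000, frozenset({"PSH", "ACK"}), b"HTTP/1.1 200 OK\r\n"))
    to_divert = sp.adapt(Packet(C, S, 1028, 5001, 502, frozenset({"ACK"})))
    return to_client, to_divert
```

In the walk-through the divert host's first data byte (sequence 9001) reaches the client as 5001, exactly where the replaced server's stream left off, and its window field of 1000 under shift 2 (4000 bytes) is presented to the client, which negotiated shift 7, as 31 (3968 bytes); the client's acknowledgment of 5001 is forwarded to the divert host as 9001.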
August 30, 2016